3 * Secure random number generator
5 * (c) 1998 Straylight/Edgeware
8 /*----- Licensing notice --------------------------------------------------*
10 * This file is part of Catacomb.
12 * Catacomb is free software; you can redistribute it and/or modify
13 * it under the terms of the GNU Library General Public License as
14 * published by the Free Software Foundation; either version 2 of the
15 * License, or (at your option) any later version.
17 * Catacomb is distributed in the hope that it will be useful,
18 * but WITHOUT ANY WARRANTY; without even the implied warranty of
19 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 * GNU Library General Public License for more details.
22 * You should have received a copy of the GNU Library General Public
23 * License along with Catacomb; if not, write to the Free
24 * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
28 /*----- Header files ------------------------------------------------------*/
34 #include <mLib/bits.h>
45 #include "twofish-counter.h"
48 #define CIPHER_CTX twofish_counterctx
49 #define CIPHER_INIT twofish_counterinit
50 #define CIPHER_ENCRYPT twofish_counterencrypt
51 #define CIPHER_IVSZ TWOFISH_BLKSZ
52 #define CIPHER_KEYSZ TWOFISH_KEYSZ
54 #define HASH_CTX sha256_ctx
55 #define HASH_INIT sha256_init
56 #define HASH sha256_hash
57 #define HASH_DONE sha256_done
58 #define HASH_SZ SHA256_HASHSZ
60 /*----- Static variables --------------------------------------------------*/
62 static const grand_ops gops
;
64 typedef struct rand__gctx
{
73 { "Catacomb global random byte pool" },
77 /*----- Macros ------------------------------------------------------------*/
79 #define RAND_RESOLVE(r) \
80 do { if ((r) == RAND_GLOBAL) r = &rand_global.p; } while (0)
82 #define GENCHECK(r) do { \
83 unsigned gen = rand_generation(); \
84 if (r->gen != gen) { r->gen = gen; rand_gate(r); } \
87 #define TIMER(r) do { \
88 if ((r)->s && (r)->s->timer) \
92 /*----- Main code ---------------------------------------------------------*/
94 /* --- @rand_init@ --- *
96 * Arguments: @rand_pool *r@ = pointer to a randomness pool
100 * Use: Initializes a randomness pool. The pool doesn't start out
101 * very random: that's your job to sort out. A good suggestion
102 * would be to attach an appropriate noise source and call
106 void rand_init(rand_pool
*r
)
109 memset(r
->pool
, 0, sizeof(r
->pool
));
110 memset(r
->buf
, 0, sizeof(r
->buf
));
111 r
->gen
= rand_generation();
114 r
->ibits
= r
->obits
= 0;
116 r
->s
= &noise_source
;
121 /* --- @rand_noisesrc@ --- *
123 * Arguments: @rand_pool *r@ = pointer to a randomness pool
124 * @const rand_source *s@ = pointer to source definition
128 * Use: Sets a noise source for a randomness pool. When the pool's
129 * estimate of good random bits falls to zero, the @getnoise@
130 * function is called, passing the pool handle as an argument.
131 * It is expected to increase the number of good bits by at
132 * least one, because it'll be called over and over again until
133 * there are enough bits to satisfy the caller. The @timer@
134 * function is called frequently throughout the generator's
138 void rand_noisesrc(rand_pool
*r
, const rand_source
*s
)
144 /* --- @rand_seed@ --- *
146 * Arguments: @rand_pool *r@ = pointer to a randomness pool
147 * @unsigned bits@ = number of bits to ensure
151 * Use: Ensures that there are at least @bits@ good bits of entropy
152 * in the pool. It is recommended that you call this after
153 * initializing a new pool. Requesting @bits > RAND_IBITS@ is
154 * doomed to failure (and is an error).
157 void rand_seed(rand_pool
*r
, unsigned bits
)
161 assert(((void)"bits pointlessly large in rand_seed", bits
<= RAND_IBITS
));
162 assert(((void)"no noise source in rand_seed", r
->s
));
164 while (r
->ibits
< bits
)
169 /* --- @rand_key@ --- *
171 * Arguments: @rand_pool *r@ = pointer to a randomness pool
172 * @const void *k@ = pointer to key data
173 * @size_t sz@ = size of key data
177 * Use: Sets the secret key for a randomness pool. The key is used
178 * when mixing in new random bits.
181 void rand_key(rand_pool
*r
, const void *k
, size_t sz
)
185 static const char label
[] = "Catacomb random pool key";
189 assert(HASH_SZ
>= RAND_KEYSZ
);
191 HASH(&hc
, label
, sizeof(label
));
192 if (sz
) HASH(&hc
, k
, sz
);
194 memcpy(r
->k
.k
, h
, RAND_KEYSZ
);
197 /* --- @rand_add@ --- *
199 * Arguments: @rand_pool *r@ = pointer to a randomness pool
200 * @const void *p@ = pointer a buffer of data to add
201 * @size_t sz@ = size of the data buffer
202 * @unsigned goodbits@ = number of good bits estimated in buffer
206 * Use: Mixes the data in the buffer with the contents of the
207 * pool. The estimate of the number of good bits is added to
208 * the pool's own count. The mixing operation is not
209 * cryptographically strong. However, data in the input pool
210 * isn't output directly, only through the one-way gating
211 * operation, so that shouldn't matter.
214 void rand_add(rand_pool
*r
, const void *p
, size_t sz
, unsigned goodbits
)
219 #if RAND_POOLSZ != 128
220 # error Polynomial in rand_add is out of date. Fix it.
225 i
= r
->i
; rot
= r
->irot
;
229 r
->pool
[i
] ^= (ROL8(o
, rot
) ^
230 r
->pool
[(i
+ 1) % RAND_POOLSZ
] ^
231 r
->pool
[(i
+ 2) % RAND_POOLSZ
] ^
232 r
->pool
[(i
+ 7) % RAND_POOLSZ
]);
234 i
++; if (i
>= RAND_POOLSZ
) i
-= RAND_POOLSZ
;
240 r
->ibits
+= goodbits
;
241 if (r
->ibits
> RAND_IBITS
)
242 r
->ibits
= RAND_IBITS
;
245 /* --- @rand_goodbits@ --- *
247 * Arguments: @rand_pool *r@ = pointer to a randomness pool
249 * Returns: Estimate of the number of good bits remaining in the pool.
252 unsigned rand_goodbits(rand_pool
*r
)
255 return (r
->ibits
+ r
->obits
);
258 /* --- @rand_gate@ --- *
260 * Arguments: @rand_pool *r@ = pointer to a randomness pool
264 * Use: Mixes up the entire state of the generator in a nonreversible
268 void rand_gate(rand_pool
*r
)
270 octet h
[HASH_SZ
], g
[4];
277 /* --- Hash up all the data in the pool --- */
280 STORE32(g
, r
->gen
); HASH(&hc
, g
, sizeof(g
));
281 HASH(&hc
, r
->pool
, RAND_POOLSZ
);
282 HASH(&hc
, r
->buf
, RAND_BUFSZ
);
286 /* --- Now mangle all of the data based on the hash --- */
288 assert(CIPHER_KEYSZ
<= HASH_SZ
);
289 CIPHER_INIT(&cc
, h
, CIPHER_KEYSZ
, 0);
290 CIPHER_ENCRYPT(&cc
, r
->pool
, r
->pool
, RAND_POOLSZ
);
291 CIPHER_ENCRYPT(&cc
, r
->buf
, r
->buf
, RAND_BUFSZ
);
294 /* --- Reset the various state variables --- */
297 r
->obits
+= r
->ibits
;
298 if (r
->obits
> RAND_OBITS
) {
299 r
->ibits
= r
->obits
- r
->ibits
;
300 r
->obits
= RAND_OBITS
;
306 /* --- @rand_stretch@ --- *
308 * Arguments: @rand_pool *r@ = pointer to a randomness pool
312 * Use: Stretches the contents of the output buffer by transforming
313 * it in a nonreversible way. This doesn't add any entropy
314 * worth speaking about, but it works well enough when the
315 * caller doesn't care about that sort of thing.
318 void rand_stretch(rand_pool
*r
)
320 octet h
[HASH_SZ
], g
[4];
327 /* --- Hash up all the data in the buffer --- */
330 STORE32(g
, r
->gen
); HASH(&hc
, g
, sizeof(g
));
331 HASH(&hc
, r
->pool
, RAND_POOLSZ
);
332 HASH(&hc
, r
->buf
, RAND_BUFSZ
);
336 /* --- Now mangle the buffer based on the hash --- */
338 assert(CIPHER_KEYSZ
<= HASH_SZ
);
339 CIPHER_INIT(&cc
, h
, CIPHER_KEYSZ
, 0);
340 CIPHER_ENCRYPT(&cc
, r
->buf
, r
->buf
, RAND_BUFSZ
);
343 /* --- Reset the various state variables --- */
349 /* --- @rand_get@ --- *
351 * Arguments: @rand_pool *r@ = pointer to a randomness pool
352 * @void *p@ = pointer to output buffer
353 * @size_t sz@ = size of output buffer
357 * Use: Gets random data from the pool. The pool's contents can't be
358 * determined from the output of this function; nor can the
359 * output data be determined from a knowledge of the data input
360 * to the pool wihtout also having knowledge of the secret key.
361 * The good bits counter is decremented, although no special
362 * action is taken if it reaches zero.
365 void rand_get(rand_pool
*r
, void *p
, size_t sz
)
376 if (r
->o
+ sz
<= RAND_BUFSZ
) {
377 memcpy(o
, r
->buf
+ r
->o
, sz
);
381 size_t chunk
= RAND_BUFSZ
- r
->o
;
383 memcpy(o
, r
->buf
+ r
->o
, chunk
);
391 if (r
->obits
> sz
* 8)
397 /* --- @rand_getgood@ --- *
399 * Arguments: @rand_pool *r@ = pointer to a randomness pool
400 * @void *p@ = pointer to output buffer
401 * @size_t sz@ = size of output buffer
405 * Use: Gets random data from the pool, ensuring that there are
406 * enough good bits. This interface isn't recommended: it makes
407 * the generator slow, and doesn't provide much more security
408 * than @rand_get@, assuming you've previously done a
412 void rand_getgood(rand_pool
*r
, void *p
, size_t sz
)
420 if (!r
->s
|| !r
->s
->getnoise
) {
430 if (chunk
* 8 > r
->obits
) {
431 if (chunk
* 8 > r
->ibits
+ r
->obits
)
432 do r
->s
->getnoise(r
); while (r
->ibits
+ r
->obits
< 256);
434 if (chunk
* 8 > r
->obits
)
435 chunk
= r
->obits
/ 8;
438 if (chunk
+ r
->o
> RAND_BUFSZ
)
439 chunk
= RAND_BUFSZ
- r
->o
;
441 memcpy(o
, r
->buf
+ r
->o
, chunk
);
443 r
->obits
-= chunk
* 8;
449 /*----- Generic random number generator interface -------------------------*/
451 static void gdestroy(grand
*r
)
454 if (g
!= &rand_global
) {
460 static int gmisc(grand
*r
, unsigned op
, ...)
469 switch (va_arg(ap
, unsigned)) {
472 case GRAND_SEEDUINT32
:
473 case GRAND_SEEDBLOCK
:
490 case GRAND_SEEDINT
: {
491 unsigned u
= va_arg(ap
, unsigned);
492 rand_add(&g
->p
, &u
, sizeof(u
), sizeof(u
));
494 case GRAND_SEEDUINT32
: {
495 uint32 i
= va_arg(ap
, uint32
);
496 rand_add(&g
->p
, &i
, sizeof(i
), 4);
498 case GRAND_SEEDBLOCK
: {
499 const void *p
= va_arg(ap
, const void *);
500 size_t sz
= va_arg(ap
, size_t);
501 rand_add(&g
->p
, p
, sz
, sz
);
503 case GRAND_SEEDRAND
: {
504 grand
*rr
= va_arg(ap
, grand
*);
506 rr
->ops
->fill(rr
, buf
, sizeof(buf
));
507 rand_add(&g
->p
, buf
, sizeof(buf
), 8);
516 const void *k
= va_arg(ap
, const void *);
517 size_t sz
= va_arg(ap
, size_t);
518 rand_key(&g
->p
, k
, sz
);
521 rand_noisesrc(&g
->p
, va_arg(ap
, const rand_source
*));
524 rand_seed(&g
->p
, va_arg(ap
, unsigned));
530 rc
= rand_goodbits(&g
->p
);
533 const void *p
= va_arg(ap
, const void *);
534 size_t sz
= va_arg(ap
, size_t);
535 unsigned goodbits
= va_arg(ap
, unsigned);
536 rand_add(&g
->p
, p
, sz
, goodbits
);
547 static octet
gbyte(grand
*r
)
551 rand_getgood(&g
->p
, &o
, 1);
555 static uint32
gword(grand
*r
)
559 rand_getgood(&g
->p
, &b
, sizeof(b
));
563 static void gfill(grand
*r
, void *p
, size_t sz
)
566 rand_get(&g
->p
, p
, sz
);
569 static const grand_ops gops
= {
573 gword
, gbyte
, gword
, grand_defaultrange
, gfill
576 /* --- @rand_create@ --- *
580 * Returns: Pointer to a generic generator.
582 * Use: Constructs a generic generator interface over a Catacomb
583 * entropy pool generator.
586 grand
*rand_create(void)
588 gctx
*g
= S_CREATE(gctx
);
594 /*----- That's all, folks -------------------------------------------------*/